QUESTION

I received an alert, or queried some logs, where the username is displayed as "HIDDEN_DUE_TO_SECURITY_REASONS". Why is that?

ANSWER

This username masking is actually performed by CloudTrail, not Panther. AWS provides the following explanation:


 The userName field contains the string HIDDEN_DUE_TO_SECURITY_REASONS when the recorded event is a console sign-in failure caused by incorrect user name input. CloudTrail does not record the contents in this case because the text could contain sensitive information, as in the following examples:
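
Separately from AWS's explanation, here is an added example (not AWS or Panther code) of handling the masked value in detection logic. Because every such failure carries the same placeholder, counting failed sign-ins per userName merges unrelated sources into one bucket, so this sketch falls back to sourceIPAddress when the name is masked. The events are constructed and trimmed to the fields used, and the threshold of 3 is an assumption.

```python
from collections import Counter

MASKED = "HIDDEN_DUE_TO_SECURITY_REASONS"

def make_event(user, ip, result):
    # Constructed event, trimmed to the CloudTrail fields this example reads.
    return {
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": result},
    }

# Constructed sample data (documentation IP ranges, made-up user name).
SAMPLE_EVENTS = [
    make_event(MASKED, "198.51.100.7", "Failure"),
    make_event(MASKED, "198.51.100.7", "Failure"),
    make_event(MASKED, "198.51.100.7", "Failure"),
    make_event(MASKED, "203.0.113.9", "Failure"),
    make_event("alice", "192.0.2.10", "Failure"),
    make_event("alice", "192.0.2.10", "Failure"),
    make_event("alice", "192.0.2.10", "Success"),
]

def is_failed_console_login(event):
    response = event.get("responseElements") or {}
    return event.get("eventName") == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure"

def grouping_key(event):
    """Group by user name when CloudTrail recorded one, otherwise by source IP."""
    user = (event.get("userIdentity") or {}).get("userName")
    if not user or user == MASKED:
        return ("ip", event.get("sourceIPAddress") or "unknown")
    return ("user", user)

def failed_login_counts(events):
    return Counter(grouping_key(e) for e in events if is_failed_console_login(e))

def over_threshold(events, threshold=3):
    # threshold is an assumed value for the example, not a recommendation.
    counts = failed_login_counts(events)
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(over_threshold(SAMPLE_EVENTS))
```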